
New EU data protection law - Top ten things to think about now

New data protection laws will come into force across the EU on 25 May 2018. That might sound like a long time to get ready but – as our research here shows – it can take years to implement a full data strategy. And the risks of being unprepared could be costly: the new rules include fines of up to 4% of worldwide annual turnover. Here are ten points you should be thinking about now:

the extent to which you’ll be able to use personal data to develop new products and services – eg there will be stricter rules on getting consent to use data, and on automated profiling;

how to incorporate privacy issues into your business processes – eg you might need to carry out ‘data protection impact assessments’;

how you’ll meet the new obligations to quickly notify regulators and individuals if you suffer a data loss, like a hack;

whether to change your employment contracts or handbooks, and what data privacy training your staff will need to deal with the new rules;

how to anticipate and deal with requests from regulators for data about your employees, customers or others;

whether to change your management and governance structure to deal with the new rules: eg companies that process large amounts of data will have to appoint a data protection officer;

how to manage international data flows, both within your group and to third parties;

how to structure relationships with third parties, including data processors, to reallocate responsibilities and liability risks;

if your business is outside the EU, whether you’ll be caught by the new rules: certain non-EU businesses will – for the first time – be covered; and

how to structure M+A transactions involving data-rich targets – eg there are new rules on promptly giving notice to people if you buy their data from a third party.

The UK regulator has a useful guide to preparing for the new law: here. And we can expect to see more guidance from national regulators in the run-up to the new rules. This might be a good time to engage with regulators and legislators on areas that have been left to member state discretion – so you might want to get involved with lobbying groups within your industry.